OpenStack Identity (Keystone)
You can not select more than 25 topics Topics must start with a letter or number, can include dashes ('-') and can be up to 35 characters long.
 
 
 
 

550 lines
14 KiB

# variables in header
# variables in path
access_token_id_path:
description: |
The UUID of the access token.
in: path
required: true
type: string
consumer_id_path:
description: |
The UUID of the consumer.
in: path
required: true
type: string
domain_id:
description: |
The UUID of the domain.
in: path
required: true
type: string
endpoint_group_id_path:
description: |
The UUID of the endpoint group.
in: path
required: false
type: string
endpoint_id_path:
description: |
The endpoint ID.
in: path
required: true
type: string
group_id:
description: |
The UUID of the group.
in: path
required: true
type: string
name:
description: |
The name of the group.
in: path
required: true
type: string
policy_id_path:
description: |
The policy ID.
in: path
required: true
type: string
project_id_path:
description: |
The UUID of the project.
in: path
required: true
type: string
region_id_path:
description: |
The region ID.
in: path
required: true
type: string
role_id_path:
description: |
The UUID of the role.
in: path
required: true
type: string
service_id_path:
description: |
The service ID.
in: path
required: true
type: string
trust_id_path:
description: |
The trust ID.
in: path
required: true
type: string
user_id_path:
description: |
The UUID of the user.
in: path
required: true
type: string
# variables in query
since_query:
description: |
A timestamp used to limit the list of results to events
that occurred on or after the specified time.
(RFC 1123 format date time)
in: query
required: false
type: string
# variables in body
allow_redelegation:
description: |
If set to `true` then a trust between a ``trustor`` and any third-party
user may be issued by the ``trustee`` just like a regular trust.
If set to `false`, stops further redelegation. `false` by default.
in: body
required: false
type: boolean
consumer_description:
description: |
The consumer description.
in: body
required: false
type: string
consumer_id:
description: |
The ID of the consumer.
in: body
required: true
type: string
eg_description:
description: |
The endpoint group description.
in: body
required: false
type: string
eg_filters:
description: |
Describes the filtering performed by the endpoint group. The filter used must
be an ``endpoint`` property, such as ``interface``, ``service_id``,
``region_id`` and ``enabled``. Note that if using ``interface`` as a filter,
the only available values are ``public``, ``internal`` and ``admin``.
in: body
required: true
type: object
eg_name:
description: |
User-facing name of the service.
in: body
required: true
type: string
endpoint_id:
description: |
The endpoint UUID.
in: body
required: true
type: string
endpoints:
description: |
An ``endpoints`` object.
in: body
required: true
type: array
endpoints_links:
description: |
The links for the ``endpoints`` resource.
in: body
required: true
type: object
id:
description: |
[WIP]
in: body
required: true
type: string
impersonation:
description: |
If set to `true`, then the user attribute of tokens generated based on the
trust will represent that of the ``trustor`` rather than the ``trustee``,
thus allowing the ``trustee`` to impersonate the ``trustor``. If impersonation
is set to `false`, then the token’s user attribute will represent that of the
``trustee``.
in: body
required: true
type: boolean
interface:
description: |
The interface type, which describes the
visibility of the endpoint. Value is: - ``public``. Visible by
end users on a publicly available network interface. -
``internal``. Visible by end users on an unmetered internal
network interface. - ``admin``. Visible by administrative users
on a secure network interface.
in: body
required: true
type: string
links:
description: |
A links object.
in: body
required: true
type: object
name_1:
description: |
The role name.
in: body
required: true
type: string
name_2:
description: |
The name of the group.
in: body
required: true
type: string
next:
description: |
The ``next`` relative link for the ``endpoints``
resource.
in: body
required: true
type: string
oauth_expires_at:
description: |
The date and time when an oauth token expires.
The date and time stamp format is `ISO 8601
<https://en.wikipedia.org/wiki/ISO_8601>`_:
::
CCYY-MM-DDThh:mm:ss±hh:mm
The ``±hh:mm`` value, if included, is the time zone as an offset
from UTC.
For example, ``2015-08-27T09:49:58-05:00``.
If the Identity API does not include this attribute or its value is
``null``, the token never expires.
in: body
required: false
type: string
oauth_token:
description: |
The key value for the oauth token that the Identity API returns.
in: body
required: true
type: string
oauth_token_secret:
description: |
The secret value associated with the oauth Token.
in: body
required: true
type: string
policy:
description: |
A ``policy`` object.
in: body
required: true
type: object
policy_blob:
description: |
The policy rule itself, as a serialized blob.
in: body
required: true
type: object
policy_id:
description: |
The ID of the policy.
in: body
required: true
type: string
policy_links:
description: |
The links for the ``policy`` resource.
in: body
required: true
type: object
policy_type:
description: |
The MIME media type of the serialized policy
blob. From the perspective of the Identity API, a policy blob can
be based on any technology. In OpenStack, the ``policy.json`` blob
(``type="application/json"``) is the conventional solution.
However, you might want to use an alternative policy engine that
uses a different policy language type. For example,
``type="application/xacml+xml"``.
in: body
required: true
type: string
previous:
description: |
The ``previous`` relative link for the
``endpoints`` resource.
in: body
required: true
type: string
project_id:
description: |
The ID of the project.
in: body
required: true
type: string
redelegated_trust_id:
description: |
Returned with redelegated trust provides information about the predecessor
in the trust chain.
in: body
required: false
type: string
redelegation_count:
description: |
Specifies the maximum remaining depth of the redelegated trust chain.
Each subsequent trust has this field decremented by `1` automatically.
The initial ``trustor`` issuing new trust that can be redelegated, must
set ``allow_redelegation`` to `true` and may set ``redelegation_count``
to an integer value less than or equal to ``max_redelegation_count``
configuration parameter in order to limit the possible length of derivated
trust chains. The trust issued by the trustor using a project-scoped token
(not redelegating), in which ``allow_redelegation`` is set to `true` (the new
trust is redelegatable), will be populated with the value specified in the
``max_redelegation_count`` configuration parameter if ``redelegation_count``
is not set or set to `null`. If ``allow_redelegation`` is set to `false`
then ``redelegation_count`` will be set to `0` in the trust.
If the trust is being issued by the ``trustee`` of a redelegatable trust-scoped
token (redelegation case) then ``redelegation_count`` should not be set, as it
will automatically be set to the value in the redelegatable trust-scoped token
decremented by `1`. Note, if the resulting value is `0`, this means that the new
trust will not be redelegatable, regardless of the value of ``allow_redelegation``.
in: body
required: false
type: integer
region:
description: |
(Deprecated in v3.2) The geographic location of
the service endpoint.
in: body
required: true
type: string
remaining_uses:
description: |
Specifies how many times the trust can be used to obtain a token. This value
is decreased each time a token is issued through the trust. Once it reaches
`0`, no further tokens will be issued through the trust. The default value is
`null`, meaning there is no limit on the number of tokens issued through the
trust. If redelegation is enabled it must not be set.
in: body
required: false
type: boolean
requested_project_id:
description: |
The ID of the requested project.
in: body
required: true
type: string
revoke_audit_chain_id:
description: |
Specifies a group of tokens based upon the ``audit_id`` of the
first token in the chain.
If a revocation event specifies the ``audit_chain_id`` any
token that is part of the token chain (based upon the original
token at the start of the chain) will be revoked, including
the original token at the start of the chain.
If an event is issued for ``audit_chain_id`` then the event cannot
contain an ``audit_id``.
in: body
required: true
type: string
revoke_audit_id:
description: |
Specifies the unique identifier (UUID) assigned to the token
itself.
This will revoke a single token only. This attribute mirrors
the use of the Token Revocation List (the mechanism used
prior to revocation events) but does not utilize data that
could convey authorization (the token id).
If an event is issued for ``audit_id`` then the event cannot
contain an ``audit_chain_id``.
in: body
required: true
type: string
revoke_consumer_id:
description: |
Revoke tokens issued to a specific OAuth consumer, as part
of the OS-OAUTH1 API extension.
in: body
required: true
type: string
revoke_domain_id:
description: |
Revoke tokens scoped to a particular domain.
in: body
required: true
type: string
revoke_events:
description: |
List of recovation events.
in: body
required: true
type: string
revoke_expires_at:
description: |
Specifies the exact expiration time of one or more tokens to
be revoked.
This attribute is useful for revoking chains of tokens, such
as those produced when re-scoping an existing token. When a
token is issued based on initial authentication, it is given
an expires_at value. When a token is used to get another
token, the new token will have the same expires_at value as
the original.
in: body
required: true
type: string
revoke_issued_before:
description: |
(string, ISO 8601 extended format date time with
microseconds).
Tokens issued before this time are considered revoked.
This attribute can be used to determine how long the
expiration event is valid. It can also be used in
queries to filter events, so that only a subset that
have occurred since the last request are returned.
in: body
required: true
type: string
revoke_project_id:
description: |
Revoke tokens scoped to a particular project.
in: body
required: true
type: string
revoke_role_id:
description: |
Revoke tokens issued with a specific role.
in: body
required: true
type: string
revoke_trust_id:
description: |
Revoke tokens issued as the result of a particular
trust, as part of the OS-TRUST API extension.
in: body
required: true
type: string
revoke_user_id:
description: |
Revoke tokens expressing the identity of a particular user.
in: body
required: true
type: string
roles:
description: |
A roles object.
in: body
required: true
type: array
roles_links:
description: |
A roles links object. Includes ``next``,
``previous``, and ``self`` links for roles.
in: body
required: true
type: object
self:
description: |
The ``self`` relative link for the ``endpoints``
resource.
in: body
required: true
type: string
service_id:
description: |
The UUID of the service to which the endpoint
belongs.
in: body
required: true
type: string
trust:
description: |
A trust object.
in: body
required: true
type: object
trust_expires_at:
description: |
Specifies the expiration time of the trust. A trust may be revoked ahead of
expiration. If the value represents a time in the past, the trust is deactivated.
In the redelegation case it must not exceed the value of the corresponding
``expires_at`` field of the redelegated trust or it may be omitted, then the
``expires_at`` value is copied from the redelegated trust.
in: body
required: false
type: string
trust_id:
description: |
The ID of the trust.
in: body
required: true
type: string
trust_links:
description: |
A trust links object. Includes ``next``, ``previous``, and ``self`` links for trusts.
in: body
required: true
type: object
trust_project_id:
description: |
Identifies the project upon which the trustor is delegating authorization.
in: body
required: false
type: string
trust_roles:
description: |
Specifies the subset of the trustor’s roles on the ``project_id`` to be granted
to the ``trustee`` when the token is consumed. The ``trustor`` must already be
granted these roles in the project referenced by the ``project_id`` attribute.
If redelegation is used (when trust-scoped token is used and consumed trust has
``allow_redelegation`` set to `true`) this parameter should contain redelegated
trust’s roles only.
Roles are only provided when the trust is created, and are subsequently available
as a separate read-only collection. Each role can be specified by either ``id`` or
``name``.
in: body
required: false
type: list
trustee_user_id:
description: |
Represents the user who is capable of consuming the trust.
in: body
required: true
type: string
trustor_user_id:
description: |
Represents the user who created the trust, and who’s authorization is being delegated.
in: body
required: true
type: string
trusts:
description: |
An array of trust objects.
in: body
required: true
type: array
url:
description: |
The endpoint URL.
in: body
required: true
type: string